Java GAE，openid4java在谷歌上发现失败，权限被拒绝 [英] Java GAE, openid4java fails while doing discovery on google, Permission Denied

问题描述

我正在使用Openid4Java在GAE上为我的应用程序实现Openid。我也使用Shiro来保证安全。前一天，我已经到了一个阶段，因为凭证匹配失败，例如发现，创建认证请求，获取claims_id都运行正常。
昨天，所有地狱爆发了，自那时以来，Google上的发现失败了。
我已验证的事情：

• 雅虎正在正常工作（端到端）和


• Discovery for Google在我的本地开发框中工作正常（当然，在返回到本地主机URL时失败）。


• Appengine上的应用程序已启用计费功能，以便内部亚迪斯可以打开

我试过Google的以下发现网址：
（以下某些URL有空格，因为我无法发布超过2个链接）。他们没问题。

• https：//www.google.com/accounts/o8/id


• https：//www.google.com/accounts/o8/ud（ https://developers.google.com/accounts/docs/OpenID?hl=es-ES#endpoint ）

堆栈跟踪之前的一些有趣的日志：

  org.openid4java.discovery.Discovery discover：开始发现URL标识符：https：//www.google.com/accounts/o8/id 
 
 org.openid4java.discovery.yadis.YadisResolver retrieveXrdsLocation：在以下位置执行HTTP HEAD：https：//www.google。 com / accounts / o8 / id ... 
 
 org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager $ 1 getConnection：获取连接：{s}  - > https：//www.google .com，timeout = 3000 
 
 org.apache.http.impl.conn.tsccm.ConnPoolByRoute getEntryBlocking：[{s}  - > https：//www.google.com]保持活跃： 0，总发布：0，总分配ed：0 out of 20 
 
 org.apache.http.impl.conn.tsccm.ConnPoolByRoute getFreeEntry：没有空闲连接[{s}  - > https：//www.google.com] [ null] 
 
 org.apache.http.impl.conn.tsccm.ConnPoolByRoute getEntryBlocking：可用容量：2出2 [[s]  - > https：//www.google.com] [ null] 
 
 org.apache.http.impl.conn.tsccm.ConnPoolByRoute createEntry：创建新连接[{s}  - > https：//www.google.com] 
 
 org.apache.http.impl.conn.DefaultClientConnectionOperator openConnection：连接到www.google.com:443 
 
 org.apache.http.impl.conn.DefaultClientConnection关闭：连接org.apache .http.impl.conn.DefaultClientConnection @ 197d562已关闭
  

堆栈轨迹如下：

  org.apache.shiro.openid4j.DiscoveryException：无法根据解析的discoveryId发现OpenId提供程序'https://www.google.com / accounts / o8 / id'（指定providerId'null'）
在org.apache.shiro.openid4j .DefaultOpenIdService.getDiscoveryInfo（DefaultOpenIdService.java:182）
 at org.apache.shiro.openid4j.DefaultOpenIdService.constructRequestFromOpenIdUrl（DefaultOpenIdService.java:123）
 at org.apache.shiro.openid4j.authc.Open4jFilter .constructOpenIdRequest（Open4jFilter.java:344）
 at org.apache.shiro.openid4j.authc.Open4jFilter.executeOpenidLogin（Open4jFilter.java:327）
 at org.apache.shiro.openid4j.authc.Open4jFilter .onAccessDenied（Open4jFilter.java:304）
在org.apache.shiro.web.filter.AccessControlFilter.onAccessDenied（AccessControlFilter.java:133）
在org.apache.shiro.web.filter.AccessControlFilter .onPreHandle（AccessControlFilter.java:162）
在org.apache.shiro.web.filter.PathMatchingFilter.isFilterChainContinued（PathMatchingFilter.java:203）
在org.apache.shiro.web.filter.PathMatchingFilter .preHandle（PathMatchingFilter.java:178）
在org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal（AdviceFilter.java:131）
在org.apache.shiro.web.servlet.On cePerRequestFilter.doFilter（OncePerRequestFilter.java:125）
 at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter（ProxiedFilterChain.java:66）
 at org.apache.shiro.web.servlet。 AbstractShiroFilter.executeChain（AbstractShiroFilter.java:449）
处org.apache.shiro.subject.support org.apache.shiro.web.servlet.AbstractShiroFilter $ 1.call（AbstractShiroFilter.java:365）
 .SubjectCallable.doCall（SubjectCallable.java:90）
 at org.apache.shiro.subject.support.SubjectCallable.call（SubjectCallable.java:83）
 at org.apache.shiro.subject.support .DelegatingSubject.execute（DelegatingSubject.java:383）
 at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal（AbstractShiroFilter.java:362）
 at org.apache.shiro.web.servlet .OncePerRequestFilter.doFilter（OncePerRequestFilter.java:125）
在org.mortbay.jetty.servlet.ServletHandler $ CachedChain.doFilter（ServletHandler.java:1157）
在com.google.apphosting.utils.servlet .ParseBlobUploadFilter.doFilter（ParseBlobU ploadFilter.java:125）
在org.mortbay.jetty.servlet.ServletHandler $ CachedChain.doFilter（ServletHandler.java:1157）
在com.google.apphosting.runtime.jetty.SaveSessionFilter.doFilter（ SaveSessionFilter.java:35）
 at org.mortbay.jetty.servlet.ServletHandler $ CachedChain.doFilter（ServletHandler.java:1157）
 at com.google.apphosting.utils.servlet.JdbcMySqlConnectionCleanupFilter.doFilter（ JdbcMySqlConnectionCleanupFilter.java:60）
 at org.mortbay.jetty.servlet.ServletHandler $ CachedChain.doFilter（ServletHandler.java:1157）
 at com.google.apphosting.utils.servlet.TransactionCleanupFilter.doFilter（ TransactionCleanupFilter.java:43）
在org.mortbay.jetty.servlet.ServletHandler $ CachedChain.doFilter（ServletHandler.java:1157）
在org.mortbay.jetty.servlet.ServletHandler.handle（ServletHandler。 java：388）
 at org.mortbay.jetty.security.SecurityHandler.handle（SecurityHandler.java:216）
 at org.mortbay.jetty.servlet.SessionHandler.handle（SessionHandler.java:182） $或
 g.mortbay.jetty.handler.ContextHandler.handle（ContextHandler.java:765）
 at org.mortbay.jetty.webapp.WebAppContext.handle（WebAppContext.java:418）
 at com.google。 apphosting.runtime.jetty.AppVersionHandlerMap.handle（AppVersionHandlerMap.java:266）
 at org.mortbay.jetty.handler.HandlerWrapper.handle（HandlerWrapper.java:152）
 at org.mortbay.jetty。在org.mortbay.jetty.HttpConnection.handleRequest Server.handle（Server.java:326）
（HttpConnection.java:542）
在org.mortbay.jetty.HttpConnection $ RequestHandler.headerComplete（HttpConnection的。 Java的：在com.google.apphosting.runtime.jetty.RpcRequestParser.parseAvailable（RpcRequestParser.java:76 923）
）
在org.mortbay.jetty.HttpConnection.handle（HttpConnection.java:404） 
 at com.google.apphosting.runtime.jetty.JettyServletEngineAdapter.serviceRequest（JettyServletEngineAdapter.java:146）
 at com.google.apphosting.runtime.JavaRuntime $ RequestRunnable.run（JavaRuntime.java:446） 
，位于com.google.tracing.TraceContext $ TraceC ontextRunnable.runInContext（TraceContext.java:435）
 at com.google.tracing.TraceContext $ TraceContextRunnable $ 1.run（TraceContext.java:442）
 at com.google.tracing.CurrentContext.runInContext（CurrentContext的.java：186）
在com.google.tracing.TraceContext $ AbstractTraceContextCallback.runInInheritedContextNoUnref（TraceContext.java:306）
在com.google.tracing.TraceContext $ AbstractTraceContextCallback.runInInheritedContext（TraceContext.java:298 ）
 com.google.tracing.TraceContext $ TraceContextRunnable.run（TraceContext.java:439）
 at com.google.apphosting.runtime.ThreadGroupPool $ PoolEntry.run（ThreadGroupPool.java:251）
在java.lang.Thread.run（Thread.java:724）
引起的：org.openid4java.discovery.yadis.YadisException：0x704：I / O传输错误：权限被拒绝：尝试访问未经许可阻止收件人。 （mapped-IPv4）
 at org.openid4java.discovery.yadis.YadisResolver.retrieveXrdsLocation（YadisResolver.java:479）
 at org.openid4java.discovery.yadis.YadisResolver.discover（YadisResolver.java:249 ）美元，org.openid4java.discovery.yadis.YadisResolver.discover（YadisResolver.java:233 b $ b）
在org.openid4java.discovery.yadis.YadisResolver.discover（YadisResolver.java:167）
在org.openid4java.discovery.Discovery.discover（Discovery.java:147）
在org.openid4java.discovery.Discovery.discover（Discovery.java:129）
在org.openid4java.consumer。 ConsumerManager.discover（ConsumerManager.java:568）
 at org.apache.shiro.openid4j.DefaultOpenIdService.getDiscoveryInfo（DefaultOpenIdService.java:178）
 ... 49 more 
引起：java .net.SocketException：权限被拒绝：尝试未经许可访问被阻止的收件人。 （mapped-IPv4）
 com.google.appengine.api.socket.SocketApiHelper.translateError（SocketApiHelper.java:107）
 com.google.appengine.api.socket.SocketApiHelper.translateError（SocketApiHelper .java：118）
 at com.google.appengine.api.socket.SocketApiHelper.makeSyncCall（SocketApiHelper.java:82）
 at com.google.appengine.api.socket.AppEngineSocketImpl.connectSocket（AppEngineSocketImpl .java：421）
 at com.google.appengine.api.socket.AppEngineSocketImpl.connectToAddress（AppEngineSocketImpl.java:366）
 at com.google.appengine.api.socket.AppEngineSocketImpl.connect（AppEngineSocketImpl .java：352）
在java.net.Socket.connect（Socket.java:600）
在sun.security.ssl.SSLSocketImpl.connect（SSLSocketImpl.java:623）
 at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket（SSLSocketFactory.java:549）
 at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection（DefaultClientConnectionOperator.java:180）
 at org.apache.http.impl.conn.AbstractPoolEntry.ope n（AbstractPoolEntry.java:151）
 at org.apache.http.impl.conn.AbstractPooledConnAdapter.open（AbstractPooledConnAdapter.java:125）
 at org.apache.http.impl.client.DefaultRequestDirector。在org.apache.http.impl.client.DefaultRequestDirector.execute处使用tryConnect（DefaultRequestDirector.java:645）
（DefaultRequestDirector.java:480）$ or $ 
在org.apache.http.impl.client.AbstractHttpClient。执行（AbstractHttpClient.java:906）
处org.apache.http.impl.client.AbstractHttpClient org.apache.http.impl.client.AbstractHttpClient.execute（AbstractHttpClient.java:805）
。在org.openid4java.util.HttpCache.head（HttpCache.java:336）处执行（AbstractHttpClient.java:784）
 org.openid4java.discovery.yadis.YadisResolver.retrieveXrdsLocation处的
（YadisResolver.java： 401）
 ... 56 more 
  

依赖方代码与SampleConsumer非常相似（openid4java的一部分），但实际上是shiro上的补丁（openid4j）。这似乎与Sample Consumer一致。

在我看来，我缺少一些基本的东西。任何指针都可以帮助你。

解决方案

当你试图连接<$ c $时，似乎你使用的库失败c> www.google.com:443 。

套接字API有不少限制，最明显的是它不允许连接到谷歌服务器（除了一些电子邮件和DNS的例外） 。这是您错误的来源。

如果您希望您的应用使用OpenID进行身份验证，那么请使用GAE提供的API： https://developers.google.com/appengine/articles/openid

I am using Openid4Java to implement Openid for my app on GAE. I am also using Shiro for security. The day before i had reached a stage where things were failing for credentials matching, i.e discovery, making auth request, getting claimed_id were all working. Yesterday all hell broke lose and since then discovery on Google is failing. things that i have verified:

• Yahoo is working fine (end to end)and
• Discovery for google is working fine on my local dev box(it ofcourse fails while returning to my localhost URL).
• The application on appengine has billing enabled so that internally Yadis can open socket connections.

I have tried the following discovery urls for Google: (some URLS below have spaces because i cant post more than 2 links). they are fine otherwise.

• https: //www.google.com/accounts/o8/id
• https: //www.google.com/accounts/o8/ud (https://developers.google.com/accounts/docs/OpenID?hl=es-ES#endpoint)

A few interesting logs before the stack trace:

org.openid4java.discovery.Discovery discover: Starting discovery on URL identifier: https: //www.google.com/accounts/o8/id

org.openid4java.discovery.yadis.YadisResolver retrieveXrdsLocation: Performing HTTP HEAD on: https://www.google.com/accounts/o8/id ...

org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager$1 getConnection: Get connection: {s}->https://www.google.com, timeout = 3000

org.apache.http.impl.conn.tsccm.ConnPoolByRoute getEntryBlocking: [{s}->https://www.google.com] total kept alive: 0, total issued: 0, total allocated: 0 out of 20

org.apache.http.impl.conn.tsccm.ConnPoolByRoute getFreeEntry: No free connections [{s}->https://www.google.com][null]

org.apache.http.impl.conn.tsccm.ConnPoolByRoute getEntryBlocking: Available capacity: 2 out of 2 [{s}->https://www.google.com][null]

org.apache.http.impl.conn.tsccm.ConnPoolByRoute createEntry: Creating new connection [{s}->https://www.google.com]

org.apache.http.impl.conn.DefaultClientConnectionOperator openConnection: Connecting to www.google.com:443

org.apache.http.impl.conn.DefaultClientConnection close: Connection org.apache.http.impl.conn.DefaultClientConnection@197d562 closed

the stack trace is as follows:

org.apache.shiro.openid4j.DiscoveryException: Unable to discover OpenId Provider based on resolved discoveryId 'https://www.google.com/accounts/o8/id' (specified providerId 'null')
at org.apache.shiro.openid4j.DefaultOpenIdService.getDiscoveryInfo(DefaultOpenIdService.java:182)
at org.apache.shiro.openid4j.DefaultOpenIdService.constructRequestFromOpenIdUrl(DefaultOpenIdService.java:123)
at org.apache.shiro.openid4j.authc.Open4jFilter.constructOpenIdRequest(Open4jFilter.java:344)
at org.apache.shiro.openid4j.authc.Open4jFilter.executeOpenidLogin(Open4jFilter.java:327)
at org.apache.shiro.openid4j.authc.Open4jFilter.onAccessDenied(Open4jFilter.java:304)
at org.apache.shiro.web.filter.AccessControlFilter.onAccessDenied(AccessControlFilter.java:133)
at org.apache.shiro.web.filter.AccessControlFilter.onPreHandle(AccessControlFilter.java:162)
at org.apache.shiro.web.filter.PathMatchingFilter.isFilterChainContinued(PathMatchingFilter.java:203)
at org.apache.shiro.web.filter.PathMatchingFilter.preHandle(PathMatchingFilter.java:178)
at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:131)
at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
at com.google.apphosting.utils.servlet.ParseBlobUploadFilter.doFilter(ParseBlobUploadFilter.java:125)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
at com.google.apphosting.runtime.jetty.SaveSessionFilter.doFilter(SaveSessionFilter.java:35)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
at com.google.apphosting.utils.servlet.JdbcMySqlConnectionCleanupFilter.doFilter(JdbcMySqlConnectionCleanupFilter.java:60)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
at com.google.apphosting.utils.servlet.TransactionCleanupFilter.doFilter(TransactionCleanupFilter.java:43)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:388)
at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:765)
at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:418)
at com.google.apphosting.runtime.jetty.AppVersionHandlerMap.handle(AppVersionHandlerMap.java:266)
at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
at org.mortbay.jetty.Server.handle(Server.java:326)
at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:542)
at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:923)
at com.google.apphosting.runtime.jetty.RpcRequestParser.parseAvailable(RpcRequestParser.java:76)
at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404)
at com.google.apphosting.runtime.jetty.JettyServletEngineAdapter.serviceRequest(JettyServletEngineAdapter.java:146)
at com.google.apphosting.runtime.JavaRuntime$RequestRunnable.run(JavaRuntime.java:446)
at com.google.tracing.TraceContext$TraceContextRunnable.runInContext(TraceContext.java:435)
at com.google.tracing.TraceContext$TraceContextRunnable$1.run(TraceContext.java:442)
at com.google.tracing.CurrentContext.runInContext(CurrentContext.java:186)
at com.google.tracing.TraceContext$AbstractTraceContextCallback.runInInheritedContextNoUnref(TraceContext.java:306)
at com.google.tracing.TraceContext$AbstractTraceContextCallback.runInInheritedContext(TraceContext.java:298)
at com.google.tracing.TraceContext$TraceContextRunnable.run(TraceContext.java:439)
at com.google.apphosting.runtime.ThreadGroupPool$PoolEntry.run(ThreadGroupPool.java:251)
at java.lang.Thread.run(Thread.java:724)
Caused by: org.openid4java.discovery.yadis.YadisException: 0x704: I/O transport error: Permission denied: Attempt to access a blocked recipient without permission. (mapped-IPv4)
at org.openid4java.discovery.yadis.YadisResolver.retrieveXrdsLocation(YadisResolver.java:479)
at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:249)
at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:233)
at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:167)
at org.openid4java.discovery.Discovery.discover(Discovery.java:147)
at org.openid4java.discovery.Discovery.discover(Discovery.java:129)
at org.openid4java.consumer.ConsumerManager.discover(ConsumerManager.java:568)
at org.apache.shiro.openid4j.DefaultOpenIdService.getDiscoveryInfo(DefaultOpenIdService.java:178)
... 49 more
Caused by: java.net.SocketException: Permission denied: Attempt to access a blocked recipient without permission. (mapped-IPv4)
at com.google.appengine.api.socket.SocketApiHelper.translateError(SocketApiHelper.java:107)
at com.google.appengine.api.socket.SocketApiHelper.translateError(SocketApiHelper.java:118)
at com.google.appengine.api.socket.SocketApiHelper.makeSyncCall(SocketApiHelper.java:82)
at com.google.appengine.api.socket.AppEngineSocketImpl.connectSocket(AppEngineSocketImpl.java:421)
at com.google.appengine.api.socket.AppEngineSocketImpl.connectToAddress(AppEngineSocketImpl.java:366)
at com.google.appengine.api.socket.AppEngineSocketImpl.connect(AppEngineSocketImpl.java:352)
at java.net.Socket.connect(Socket.java:600)
at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:623)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:549)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:151)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:645)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:480)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784)
at org.openid4java.util.HttpCache.head(HttpCache.java:336)
at org.openid4java.discovery.yadis.YadisResolver.retrieveXrdsLocation(YadisResolver.java:401)
... 56 more

the relying party code is pretty similar to the SampleConsumer (part of openid4java) but is actually a patch on shiro(openid4j). It seems to be in accordance with Sample Consumer.

Seems to me that i am missing something basic here. Any pointers will really help.

解决方案

It seems that the libraries you use are failing when trying to make connections to www.google.com:443.

Sockets API has quite a few limitations, most notably it does not allow connections to google servers (with some exceptions for email & DNS). This is a source of your errors.

If you want your app to use OpenID for auth then just use GAE provided APIs: https://developers.google.com/appengine/articles/openid

这篇关于Java GAE，openid4java在谷歌上发现失败，权限被拒绝的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！